[Asterisk-Users] (newby) Asterisk on the open internet & security

Cosmin Prund cosmin at adicomsoft.ro
Sun Feb 5 15:16:33 MST 2006


> Hey,
> 
> We are running asterisk on the internet, allowing sip phones
> at customers' locations/laptops etc. to log in and use the calls.
> Just make sure to disallow sip users/peers without valid
> user/secret in the extensions.conf
> (something like this in sip.conf)
> [general]
> context = sip-default
> (and in extensions.conf)
> [sip-default]
> exten => s,1,Hangup()

So this trick allows an anonymous connection onto the * and next it closes
the connection (Hangup). Isn't it possible to make Asterisk completely
reject a connection if no credentials can be accepted? (Is Hangup()
technically the same considering Asterisk uses UDP for SIP?)

> If you don't trust and fear someone is sniffing your udp
> packets that hold user/secret, you can always setup openvpn
> (or whatever vpn solution) and use that to connect first and
> tunnel your sip traffic through it

Yep, this is another problem. I might after all allow connections from
unrecognized sip phones to go to my operator (maybe they're clients!), but
sending "clear text" passwords over udp packets is not nice at all. As with
other things in life, I don't think anyone's actually actively tracking my
moves and trying to hack into my network, but I am afraid of "IT hooligans"
detecting my UDP packet on its way from my home to my office and hacking it
just to prove it's possible.

Trying to find my own way through this maze I came across this page:

http://www.voip-info.org/wiki-SIP+Authentication

...and I ask: What kind of authentication does Asterisk provide with SIP? Is
it digest or basic? If it's digest - it's fine with me. If it's basic - I'll
have to set up some more "barriers" for calls coming over the public network
(like asking for a password from the IVR, before allowing any kind of
outgoing calls). 

I will not be using any kind of VPN because of the extra bandwidth required.

> --
> Michiel van Baak
> http://michiel.vanbaak.info
> michiel at vanbaak.info
> GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7E0B9A2D
> 
> "Why is it drug addicts and computer afficionados are both called users?"
> 
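On the digest-or-basic question: chan_sip authenticates SIP peers with HTTP-style Digest (RFC 3261 section 22, MD5, no qop), so the secret itself never travels in the UDP packet. The exchange below is an added example written for this thread, not code from Asterisk or from either poster; the realm, peer name, secret and request URI are constructed values, and the Registrar class is a toy model of the server side, including the single-use nonce check that stops a captured Authorization header from simply being resent.

```python
# Added example (not from the thread or from Asterisk): SIP Digest authentication
# as chan_sip performs it (RFC 3261 section 22 / RFC 2617, MD5, no qop).
import hashlib
import hmac
import re
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 response without qop. The secret only ever enters the hash;
    what goes on the wire is the 32-hex-digit result."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def build_authorization(username, realm, password, method, uri, nonce):
    """Client side: the Authorization header sent in reply to a 401."""
    response = digest_response(username, realm, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}", algorithm=MD5')


def parse_digest_header(header):
    """Parse 'Digest k="v", k=v, ...' into a dict (unquoted values allowed)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return dict(re.findall(r'(\w+)="?([^",]*)"?', params))


class Registrar:
    """Toy model of the server side (what the PBX does with sip.conf secret=)."""

    def __init__(self, realm, peer_secrets):
        self.realm = realm
        self.peer_secrets = peer_secrets      # peer name -> secret (constructed)
        self.live_nonces = set()              # nonces issued but not yet consumed

    def challenge(self):
        """401 Unauthorized: hand the client a fresh random nonce."""
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return f'Digest realm="{self.realm}", nonce="{nonce}", algorithm=MD5'

    def authenticate(self, method, uri, authorization):
        """Return True only for a valid, first-time use of a nonce we issued."""
        if not authorization.startswith("Digest "):
            return False
        p = parse_digest_header(authorization)
        nonce = p.get("nonce")
        if nonce not in self.live_nonces:
            return False                      # unknown or replayed nonce
        self.live_nonces.discard(nonce)       # single use: a captured header cannot be resent
        secret = self.peer_secrets.get(p.get("username"))
        if secret is None or p.get("realm") != self.realm or p.get("uri") != uri:
            return False
        expected = digest_response(p["username"], self.realm, secret, method, uri, nonce)
        return hmac.compare_digest(expected, p.get("response", ""))


def demo():
    """Full REGISTER exchange; returns (first attempt ok, replay ok, secret visible)."""
    server = Registrar("asterisk", {"1001": "correct-horse-battery"})  # constructed
    uri = "sip:pbx.example.test"                                       # constructed
    www_authenticate = server.challenge()                 # from the 401
    nonce = parse_digest_header(www_authenticate)["nonce"]
    authorization = build_authorization("1001", "asterisk", "correct-horse-battery",
                                        "REGISTER", uri, nonce)
    first = server.authenticate("REGISTER", uri, authorization)
    replay = server.authenticate("REGISTER", uri, authorization)
    # Someone sniffing the UDP packets sees username, realm, nonce, uri and the
    # response hash, but never the secret itself. They can still test guessed
    # secrets against that hash offline, so weak secrets are the real exposure.
    return first, replay, "correct-horse-battery" in authorization


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

What this shows for the thread's concern: a passive sniffer on the UDP path gets the username and a hash, not the secret, so the remaining risk with digest is an offline guess against that hash, which is why the sip.conf secret should be long and random rather than a short PIN. It also shows why the Hangup() trick and a real rejection differ: in the model above an unauthenticated request never reaches call handling at all, whereas routing guests to a context that hangs up still admits the call into the dialplan first.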
